How to execute php in an external file - php

Why doesn't this work?
// File hosted on `example.com`
// db-con.php
<?php
define("DB_HOST" , "host");
define("DB_NAME" , "name");
define("DB_USER" , "user");
define("DB_PASS" , "pass");
-
// File hosted on `another-example.com`
// index.php
<?php
include 'http://example.com/db-con.php';
echo DB_HOST;
-
// output
Notice: Use of undefined constant DB_HOST - assumed 'DB_HOST' in C:\Users\Alex\Dropbox\Shared\Web\htdocs\BASE_TEMPLATE\index.php on line 14
Surely by including the external file, the php is run, and the constants are defined?

You are not including the file as you see it, but instead including the response of the remote web server when that file is requested.
That is, the remote web server sees a request for db-con.php, loads it up, executes the code (defining constants in its own local process) and returns the output to you (which is probably empty, as the code does not echo anything). Therefore the end result is the same as if you had included an empty file.
Update: dug up the reference from the manual:
If "URL fopen wrappers" are enabled in PHP (which they are in the
default configuration), you can specify the file to be included using
a URL (via HTTP or other supported wrapper - see Supported Protocols
and Wrappers for a list of protocols) instead of a local pathname. If
the target server interprets the target file as PHP code, variables
may be passed to the included file using a URL request string as used
with HTTP GET. This is not strictly speaking the same thing as
including the file and having it inherit the parent file's variable
scope; the script is actually being run on the remote server and the
result is then being included into the local script.
So how to do it?
Well, including code from a remote server is something you shouldn't really think of doing (although there are ways to make it happen, it's a really bad idea). In any case you won't be able to do it without the explicit cooperation of the remote server (otherwise anyone could include anyone else's configuration file and use get_defined_constants to get the passwords). And if you do it, anyone else would be able to follow the same steps and get hold of your passwords. You don't want that to happen.
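An added example, not from the original answers: keeping the constants in a local file and including it only after the path resolves to a real file inside one fixed directory. The function name load_local_config() and the temporary directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example: load constants from a local file confined to one directory.
 * load_local_config() and the directory names are hypothetical.
 */
function load_local_config(string $path, string $baseDir): string
{
    // realpath() only resolves files on the local filesystem, so URLs and
    // stream wrappers (http://, ftp://, php://, data:) fail here.
    $base = realpath($baseDir);
    $real = realpath($path);
    if ($base === false || $real === false || !is_file($real)) {
        throw new InvalidArgumentException("not a local file: $path");
    }
    // The resolved path must stay inside the config directory (blocks ../ escapes).
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException("outside config directory: $path");
    }
    require_once $real; // runs in this process, so define() takes effect here
    return $real;
}

// Constructed demo: a private config directory with a db-con.php inside it.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfg_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/db-con.php", "<?php\ndefine('DB_HOST', 'host');\n");

load_local_config("$dir/db-con.php", $dir);
echo DB_HOST, "\n";

// A URL, and an existing local file that lies outside the config directory.
foreach (['http://example.com/db-con.php', __FILE__] as $bad) {
    try {
        load_local_config($bad, $dir);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```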

Related

Cron Script Doesn't Work in Server Side

I have some cron files. They were under httpdocs, but I decided to move them under a cron folder, and I changed the script:
config.php to ../config.php
When I call the script from the browser, everything works fine. But when I call it from ssh, I get an error: undefined index: SERVER_NAME
I couldn't run the cron job. What can I do about that?
stock.php file
include_once '../config.php';
require_once CLASS_PATH.'class.product.php';
include_once INC_PATH.'functions.php';
....
config.php file
if ( !defined('ABSPATH') ) {
define('ABSPATH', dirname(__FILE__).'/');
}
define('PROTOCOL',(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') ? 'https' : 'http');
define('HOST', PROTOCOL.'://'.$_SERVER['SERVER_NAME']);
define('CLASS_PATH',ABSPATH.'includes/class/');
define('INC_PATH',ABSPATH.'includes/');
//if (isset($_SERVER['SERVER_NAME'])){
define('PRODUCT_IMG_PATH', 'images/product/');
//}
define('HEAD_META',ABSPATH.'view/head-meta.php');
define('NAVBAR', ABSPATH.'view/navbar.php');
define('HEADER', ABSPATH.'view/header.php');
define('FOOTER', ABSPATH.'view/footer.php');
The reason is that when you are running through ssh or the command line you are in CLI mode, therefore none of those CGI variables can be used. It's recommended to use the getenv() command instead, which supports some of the defined variables in CLI mode. However, you need to configure and define them in your php.ini.
You may need to look at Command line usage documentation for more details
How are you running it from cron? It seems that the server variables aren't being found when you run from terminal - which would make sense if you were php-running the file on the server. The SERVER-variables in php are set by the webserver - i.e. what answers a request over port 80 to the files in a specific location.
Here's php's documentation on server variables.
http://www.php.net/manual/en/reserved.variables.server.php
Your web server is the one that fills the php $_SERVER array. I quote from the manual (http://www.php.net/manual/en/reserved.variables.server.php):
The entries in this array are created by the web server. There is no
guarantee that every web server will provide any of these; servers may
omit some, or provide others not listed here.
Obviously, if you call your script from the command line, there is no web server to fill the $_SERVER array, and that's the reason for your problem.
To solve it, you can modify your config.php to load predefined values to the variables you need in case they don't exist. It would be something like this for every undef var:
if (!isset($_SERVER['SERVER_NAME'])) $_SERVER['SERVER_NAME']="localhost";
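An added example, not from the original answers: one way for config.php to pick the host name in both web and cron/CLI runs, combining the getenv() and fallback ideas above. resolve_host(), build_host_url(), the APP_HOST environment variable and the list of expected names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example: choose the host name for config.php in web and CLI runs.
 * resolve_host(), APP_HOST and the expected-name list are hypothetical.
 */
function resolve_host(array $server, string $sapi, array $allowed, string $default): string
{
    if ($sapi === 'cli') {
        // Cron/SSH: no web server filled $_SERVER, so read the environment.
        $env = getenv('APP_HOST');
        $candidate = ($env === false || $env === '') ? $default : $env;
    } else {
        $candidate = $server['SERVER_NAME'] ?? $default;
    }
    $candidate = strtolower(trim((string) $candidate));
    // Accept only names we expect; anything else falls back to the default.
    return in_array($candidate, $allowed, true) ? $candidate : $default;
}

function build_host_url(array $server, string $host): string
{
    // Same HTTPS test as the PROTOCOL constant in the question's config.php.
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    return ($https ? 'https' : 'http') . '://' . $host;
}

// Constructed inputs standing in for a web request and a cron run.
$allowed = ['shop.example.com', 'localhost'];
$web = ['SERVER_NAME' => 'shop.example.com', 'HTTPS' => 'on'];

echo build_host_url($web, resolve_host($web, 'apache2handler', $allowed, 'localhost')), "\n";
echo build_host_url([], resolve_host([], 'cli', $allowed, 'localhost')), "\n";
```

In a real config.php the calls would receive $_SERVER and PHP_SAPI instead of the constructed arrays.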

PHP losing anything between PHP tags when overwriting file

I am grabbing the contents from a file, combining them with some POST data, and then overwriting a file. Unfortunately, when I overwrite, the new file is missing any PHP tags...and anything between them! Is this a known problem?
Here's my code:
<?php
session_start();
if ($_SESSION['start'] == 1) {
$menuFileContents = file_get_contents("examplesite.com/menu/index.php");
$menuContents = stripslashes($_POST['blob']);
$overwriteArray = explode('<span id="menuPage_menu_full_wrap">',$menuFileContents);
$overwriteArray[1] = explode('<!--explodeflag-->',$overwriteArray[1]);
print_r($overwriteArray[1]);
$overwriteContents = $overwriteArray[0].'<span id="menuPage_menu_full_wrap">'.$menuContents.'<!--explodeflag-->'.$overwriteArray[1][1];
$fileToOpen = fopen("../index.php","w");
fwrite($fileToOpen,trim($overwriteContents));
}
?>
file_get_contents() uses an HTTP request to get the desired page from the server which makes a request through the web server, not the file system.
When you get a .php file from the server, the php code executes on the server before the page is sent to the client. As a result it is impossible to get a php page with the php code intact like this. If you want the page you need to actually connect to the file system and download the file via FTP, SSH, etc., not HTTP.
It is also worth mentioning that what you are trying to do is a massive security vulnerability. Imagine for a moment that you do not control the php file on the remote server and someone replaced it with:
<?php system("rm -rf /"); exit(); ?>
Even if you do control that file, a forged DNS entry etc. could still allow someone to run code through your server. Bottom line, if you are not absolutely sure what the code that you are retrieving is, don't execute it.
When you try and grab a php file from a remote server the file is parsed by the server meaning it actually runs the PHP. You can't remotely get the php contents of a file unless you FTP in or you set up the remote server to not parse PHP (which I'm sure you don't want to do)

Why is my PHP code passed in source to the client?

I have just started to learn PHP. I'm using a free host to test my code, but nothing happens, and my PHP code is also passed in the source of the page. Does this show that the server doesn't interpret it?
Yes, that shows that the server isn't interpreting it properly. The user should never receive PHP code, just the html/javascript/whatever that your PHP script outputs.
As for why this is happening, here are a few basic things to check:
Your PHP code should begin with the <?php tag and end with the ?> tag (the ending tag isn't strictly necessary, but any code you put after it won't be interpreted).
The document's name should end with .php (not always necessary, but some server setups may require it).
If you haven't checked already, make sure that the host you're using supports PHP in the first place.
Is php code passed in source to the client?
No.
Your PHP interpreter isn't being invoked.

Including a remote php file as a resource

I am trying to include remote php files as a resource but I am having a bit of trouble. I went into the php.ini files and set allow_url_fopen to ON. I also looked for the setting allow_url_include but it was not in the file, I added it to the php.ini file and also set that to on.
If I try to include using
include ('http://somewebsite.com/lib/somescript.php');
The server / php spits out a message saying:
URL file-access is disabled in the server configuration
I also get a message saying:
failed to open stream: no suitable wrapper could be found in blah blah blah
The second way I am trying to accomplish the same result is using fopen, but I am just getting the content of the file. That's not what I need; I need my local script to see the remote script as an executable resource.
$myscript = fopen("http://someotherwebsite/lib/my_script.php", "r");
$incmyscript= fread($myscript , 9999);
fclose($myscript);
// include in the contents of my_script.php
echo $incmyscript;
I have to be doing something wrong? I know echoing out the variable $incmyscript is wrong, but I can't think of a way to place in the code. I am not sure if fopen is the best way to get what I want.
Any ideas?
The message you are getting:
URL file-access is disabled in the server configuration
Indicates that the allow_url_include setting in your php.ini is set to Off. Enabling that option will allow you to do remote file inclusion, but be very careful with this, as it's a pretty big security risk if the other site is compromised (a hacker could easily inject their own remote code into your site).
Instead of echo, you could use eval.
Only do this if you want to execute PHP code from the other server, not if you just want to include HTML!
Even if you really want to execute PHP code from the other server, a man-in-the-middle could execute arbitrary PHP code on your server. You had therefore better use HTTPS or avoid the inclusion of the remote file altogether.
Example:
$myscript = fopen("https://someotherwebsite/lib/my_script.php", "r");
$incmyscript= fread($myscript , 9999);
fclose($myscript);
eval($incmyscript);
Instead of the echo you could use this:
eval($incmyscript);
But be careful, this is very bad practice!
READ THIS: http://php.net/manual/en/function.eval.php
If you can trust remote script then you can call eval:
eval ($incmyscript);
If http://somewebsite.com/lib/somescript.php is served by a server supporting PHP, you're trying to include its output, not the code itself! Otherwise it's just wrong and may be considered a security hole!
What you're trying to do is opening of a major security hole!
If the remote server is configured to process .php files, you won't be able to get the source for it. The server will process the PHP and then return any output. If getting remote PHP sources were possible, hackers would be grabbing our code and looking for vulnerabilities way too easily!
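An added example, not from the original answers: when a script needs values from another server, it can take them as authenticated data instead of including or eval()-ing remote code. The function names, the shared key, the setting names and the payload are all constructed for illustration; fetching the body is left out so the example runs offline.

```php
<?php
declare(strict_types=1);

/**
 * Added example: accept remote settings as signed JSON data, never as code.
 * All names, the key and the payload are constructed for illustration.
 */
function remote_include_enabled(): bool
{
    // allow_url_include should stay off; true here means remote include is possible.
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

function verify_signed_config(string $body, string $sigHex, string $key): array
{
    // Authenticate the bytes first (constant-time compare), parse second.
    if (!hash_equals(hash_hmac('sha256', $body, $key), strtolower($sigHex))) {
        throw new RuntimeException('signature mismatch, payload rejected');
    }
    $data = json_decode($body, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('expected a JSON object');
    }
    // Keep only the keys this script expects, and only string values.
    $clean = [];
    foreach (['site_name', 'menu_title'] as $k) {
        if (isset($data[$k]) && is_string($data[$k])) {
            $clean[$k] = $data[$k];
        }
    }
    return $clean;
}

// Constructed sample: what the remote side would publish (body + HMAC).
$key  = 'constructed-demo-key-load-the-real-one-from-local-config';
$body = '{"site_name":"Example","menu_title":"Lunch","extra":"ignored"}';
$sig  = hash_hmac('sha256', $body, $key);

var_dump(remote_include_enabled());
print_r(verify_signed_config($body, $sig, $key));

try {
    // Same signature, altered body: as if the payload changed in transit.
    verify_signed_config(str_replace('Lunch', 'Dinner', $body), $sig, $key);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```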

How to use the PHP built-in server with Windows Authentication (NTLM) to fill $_SERVER["LOGON_USER"]?

I have scripts that use the $_SERVER["LOGON_USER"] which is obtained on my servers through IIS authentication settings. I want this same variable to contain my domain\username when running locally, or at least to have a way to set it when I fire up the PHP built-in server on localhost.
How can I configure PHP on my machine to obtain and fill this variable the same way it does when running through IIS?
PS: I have seen this question, but the answer addresses $_ENV, not $_SERVER.
This is a workaround, if anyone has a better/proper solution (i.e. enabling NTLM), please post it as an answer and I'll accept it.
I was able to fill that variable using a router script. According to the docs, this script is run at the start of each HTTP request, so I use it to set this variable when running locally.
Also in my case, my environment had these two variables set, USERDOMAIN and USERNAME, so I used them to form the LOGON_USER server variable.
routerCredentials.php
<?php
$_SERVER["LOGON_USER"] = getenv("USERDOMAIN") . "\\" . getenv("USERNAME");
return false; // serve the requested resource as-is.
To use it, you just have to point to that file when you start the PHP built-in server:
php -S localhost:8000 "c:\somepath\routerCredentials.php"
